Cryptanalysis of Two Candidate Fixes
of Multilinear Maps over the Integers
Jean-Sébastien Coron1 , Tancrède Lepoint2 , and Mehdi Tibouchi3
1
3
University of Luxembourg
[email protected]
2
CryptoExperts, France
[email protected]
NTT Secure Platform Laboratories, Japan
[email protected]
November 30, 2014
Abstract. Shortly following Cheon, Han, Lee, Ryu and Stehlé’s attack against the multilinear map
of Coron, Lepoint and Tibouchi (CLT), two independent approaches to thwart this attack have been
proposed on the cryptology ePrint archive, due to Garg, Gentry, Halevi and Zhandry on the one hand,
and Boneh, Wu and Zimmerman on the other. In this short note, we show that both countermeasures
can be defeated in polynomial time using extensions of the Cheon et al. attack.
1
Introduction
Soon after Garg, Gentry and Halevi proposed a first candidate cryptographic multilinear map
in [GGH13], multilinear maps and their applications became a very active area of research in the
cryptologic community. However, all current candidate constructions [GGH13,CLT13,GGH14] are
only approximate multilinear maps. In particular, they require a trusted setup to create public
parameters from secret values; whoever learns these values can break all security notions related to
multilinear maps.
Recently, Cheon, Han, Lee, Ryu and Stehlé described an attack using low-level encodings of
zero [CHL+ 14] against Coron, Lepoint and Tibouchi’s candidate multilinear map over the integers
(CLT) [CLT13]. This attack recovers the secret factors of the public modulus in polynomial time,
which breaks the construction completely.
A week after Cheon et al.’s attack was made public, two different approaches to patch the CLT
multilinear map have been independently proposed by Garg, Gentry, Halevi and Zhandry [GGHZ14,
Sec. 7]1 , and Boneh, Wu and Zimmerman [BWZ14]. In essence, these countermeasures modify the
form of the CLT encodings in an attempt to remove the multiplicative structure obtained during
the zero-testing procedure in Cheon el al.’s attack.
Our Results. In this report, we show that both proposed countermeasures are insecure. They
are susceptible to direct extensions of Cheon et al. attack, that will still recover the factorization
of the public modulus (and hence all secret parameters) in polynomial time. Proof-of-concept
implementations of our attacks are available at https://github.com/coron/cltattack.
2
The CLT Multilinear Map Scheme
In this section, we recall the multilinear map scheme (CLT) of Coron, Lepoint and Tibouchi [CLT13].
From a given security level λ and a target multilinearity level κ, a trusted setup phase outputs
the public parameters from secret values.
Qn In particular, it generates n secret primes p1 , . . . , pn and
publishes the public modulus x0 = i=1 pi (where n is large enough to ensure correctness and
1
The revised version of [GGHZ14] of November 12 2014 can be accessed from the cryptology ePrint archive.
security), and generates a random invertible z ∈ Zx0 multiplicative mask. The (possibly secret)
encoding space is a ring R = Zg1 × · · · × Zgn for primes gi ’s.
A level-k encoding c of some m = (m1 , . . . , mn ) ∈ R is an integer c such that, for all 1 6 i 6 n:
c≡
ri · gi + mi
zk
(mod pi )
(1)
where ri is uniformly distributed from a bounded distribution with at least λ bits of entropy. The
integer c is therefore defined modulo x0 by CRT. Encodings can be homomorphically processed
as long as the noises ri ’s do not wrap modulo pi : if c is a level-k encoding of m ∈ R and c0 is a
level-k 0 encoding of m0 ∈ R, then c · c0 mod x0 is a level-(k + k 0 ) encoding of m · m0 , and when
k = k 0 , c + c0 mod x0 is a level-k encoding of m + m0 .
For level-κ encodings, the trusted setup publishes a zero-testing parameter2 pzt such that
pzt =
n
X
hi · [gi−1 · z κ mod pi ] · (x0 /pi ) mod x0 ,
i=1
where the hi ’s are uniformly distributed from a bounded distribution with at least λ bits of entropy.
Given a level-κ encoding c as in Equation (1), one can compute ω = pzt · c mod x0 , which gives:
ω=
n
X
hi · ri + mi · (gi−1 mod pi ) · (x0 /pi ) mod x0 .
i=1
The multilinear map parameters are chosen so that if mi = 0 for all i, using the bounds on the ri ’s
and hi ’s, the integer ω is small compared to x0 ; respectively if at least one of the mi 6= 0, w will
roughly be of the same size as x0 due to the uncanceled gi−1 in the expression above. This enables
to test whether c is an encoding of 0 ∈ R or not.
Since the leading bits of ω only depend on the mi ’s and not on the noises ri ’s, this enables
to extract from level-κ encodings a function of the mi ’s only, which eventually defines a degree-κ
multilinear map.
Public Sampling and Rerandomization. In order to allow users to publicly create encodings, the
CLT public parameters contain ` level-0 encodings x1 , . . . , x` of random ring elements (as defined
in Equation (1)). The public sampling procedure then amounts in a subset-sum of these xi ’s, and
by the leftover-hash lemma one obtains a level-0 encoding of a nearly uniform m ∈ R.
Now, level-0 encodings can be turned in level-k encodings for any k 6 κ using (powers of) a
public level-1 encoding y of 1 = (1, . . . , 1) ∈ R. Without loss of generality and for simplicity, we
assume k = 1 as in [CLT13]. To avoid a naive division after multiplying by y, the public parameters
contains τ > n level-1 encodings x01 , . . . , x0τ of 0 ∈ R. Following a multiplication by y, the resulting
encoding is rerandomized by a subset-sum of the x0i ’s: the output of the rerandomization procedure is
nearly independent from the randomness of the input by a left-over hash lemma over lattices [CLT13,
Sec. 4].
3
The Cheon et al. Attack
Recently, Cheon et al. proposed an attack against the CLT scheme [CHL+ 14]. This attack makes
use of low-level encodings of 0: if such encodings are made public, one can recover in polynomial
time all values supposed to be kept secret. In particular, one can use the values x0i ’s used by the
rerandomization procedure. Therefore the Cheon et al. attack completely breaks the CLT scheme.
2
In [CLT13], it publishes a vector of such elements. Since Cheon et al. attack, and ours, do not require more than
one element (e.g. the first element of the vector), we omit such setting for simplicity.
2
Let us recall the attack briefly. We describe a slight simplification of [CHL+ 14] in which we use
a single ciphertext c instead of two ciphertexts c0 and c1 . This enables to obtain as eigenvalues
directly the CRT components of c, instead of ratios of the CRT components of c0 and c1 .
Let c be a level-0 encoding with c = ci mod pi . Let y be a level-1 encoding of 1 ∈ R, let
0
0 · g /z mod p , and x be level-1 encodings where
xj be level-1 encodings of 0 ∈ R with x0j = rij
i
i
j
xj = xij /z mod pi .
For 1 6 j, k 6 n, we can compute:
ωjk = [(c · xj · x0k · y κ−2 ) · pzt ]x0
(2)
and we have:
ωjk =
n
X
hi · [(c · xj · x0k · y κ−2 ) · z κ · gi−1 mod pi ] · (x0 /pi )
i=1
=
n
X
0
xij h0i ci rik
mod x0
(3)
i=1
where h0i = hi · [y κ−2 mod pi ] · (x0 /pi ). Equation (3) actually holds over the integers (instead of only
modulo x0 ), because the previous encoding is an encoding of 0, and therefore ωjk is smaller than
x0 . Therefore we can write:
n
X
0
ωjk =
xij h0i ci rik
i=1
0 ’s. By spanning
over the integers. We note that ωjk is a quadratic form in the xij ’s and the rik
1 6 j, k 6 n, one can construct a matrix W c = (ωjk )16j,k6n such that
where X = (xij ·
h0i )16j,i6n
Wc = X × C × R,

c1
 c2

0 )
and R = (rik
16i,k6n and C = 
..

.



.

cn
Finally, one can publicly compute:
−1
W = W c · W −1
,
I =X ×C ×X
where I = 1, which is a level-0 encoding of 1; this means that for WI we take c = 1 in Equation (2).
Since C is a diagonal matrix, by computing the eigenvalues of W one can recover the ci ’s, and
then the pi ’s. Finally, Cheon et al. describe how to recover all the other secret values in [CHL+ 14].
Remark 1. One can also use the following optimization: perform all computations modulo a known
prime q instead of over Q. It suffices to choose q to be slightly larger than the ci ’s, so that these
components can be recovered from their value modulo q. Therefore we can perform all computations
modulo a prime q of size O(log2 max |ci |) bits, instead of integers of size O(log2 x0 ) bits.
4
Cryptanalysis of the Garg et al. Countermeasure
A transformation of CLT multilinear maps is described by Garg, Gentry, Halevi and Zhandry in
[GGHZ14] in order to resist the Cheon et al. attack. The technique consists in embedding a CLT
encoding into a matrix of encodings; the goal is to eliminate the native encodings of zero that
enables the Cheon et al. attack. In this section we show that the countermeasure is insecure; namely
we show an extension of the Cheon et al. attack that can recover all secret parameters in polynomial
time, as in the original attack.
3
The Garg et al. countermeasure. Let c be a native level-i CLT encoding of some m ∈ R; then
the level-i matrix encoding of the same m ∈ R is a 2κ + 1 matrix U of the form:




$ 0 ... 0

 0 $ ... 0 





U = T ×  .
× T −1 

.
.. 

 ..

0 0
...
c
x0
where the ‘$’s represent native CLT encodings of random elements at level i, the 0’s are native
encodings of zero at level i, and T is a random (2κ + 1) × (2κ + 1) matrix modulo x0 , the same
for all encodings. To allow for rerandomization of encodings, one publishes matrix encodings of 0.
With enough such matrix encodings of 0, one can rerandomize U , as in the original CLT scheme.
Zero-testing is done as follows. The CLT single-element zero-test parameter pzt is replaced by
two vectors qzt = (s, t) defined as follows:
s = [($ . . . $ 0 . . . 0 $) × T −1 ]x0
and
t = [T × (0 . . . 0 $ . . . $ $)T × pzt ]x0
where 0 and ‘$’ are level-0 native CLT encodings of zero and random elements. Given a matrix U
as above at level κ, one computes:
ω = s × U × t mod x0 .
This gives:
ω = ($ × c + 0) · pzt mod x0
where ‘$’ is a level-0 native CLT encoding, and 0 is a level-κ native CLT encoding of zero. Since
($ × c + 0) is a CLT encoding of 0 when c is (and whp is not when c is not), we get a zero-testing
procedure for c, that is ω is small compared to x0 if U is an encoding of zero (and whp is not when
U is not).
Our Attack. We consider a matrix encoding C of zero at level 0, and we write:




$ 0 ... 0

 0 $ ... 0 




−1 
C = T ×  .
×
T

 = [T × C ∗ × T −1 ]x0 .
..

 ..


.
0 0 ... c
x
(4)
0
We consider two other matrices X and R which are encodings of 0 at level κ − 1 and 1 respectively,
so that we can compute:
ω = s × X × C × R × t mod x0 .
Writing x = s × X × T and r = T −1 × R × t, we get:
ω = x × C ∗ × r mod x0 .
Since C is an encoding of 0, we have that the integer ω is small compared to x0 .
We note that ω is a quadratic form in x and r. Moreover, we know that in the original CLT
scheme, ω is a linear form in the n CRT components ci of a CLT encoding c at level κ, with
c = ci /z κ mod pi . We can therefore expand the previous vectors and matrices from dimension 2κ + 1
to dimension (2κ + 1) · n, and write:
ω = x̂ × Ĉ ∗ × r̂
where the (i · (2κ + 1) + j)-th coefficient of x̂ is xj mod pi ; similarly Ĉ ∗ is a square matrix of
dimension (2κ + 1) · n which is block-diagonal, with the n sub-matrices C ∗ mod pi on the diagonal.
4
Now by applying the Cheon et al. attack, we can recover the characteristic polynomial of Ĉ ∗
over Z. Namely as in the Cheon et al. attack, instead of using single vectors x̂ and r̂, we can use
(2κ + 1) · n such vectors, so that we obtain a matrix:
WC = X̂ × Ĉ ∗ × R̂ .
As in the Cheon et al. attack we do this twice, once with WC and once with WI , where I is the
identity matrix. We can then compute:
WC · WI−1 = X̂ × Ĉ ∗ × X −1 .
We can therefore compute over Z the characteristic polynomial f (x) of Ĉ ∗ .
If the matrix C ∗ in (4) was diagonal, then the eigenvalues of WC · WI−1 , which are the same as
the eigenvalues of Ĉ ∗ , would give the CRT components modulo pi of all native CLT encodings in
the diagonal of C ∗ , from which one could recover the pi ’s and all secret values.
Now the matrix C ∗ is not diagonal, hence we proceed as follows. Since Ĉ ∗ is block-diagonal
with the sub-matrices C ∗ mod pi on the diagonal, the characteristic polynomial f (x) of C ∗ is
the product of the characteristic polynomials fi (x) of the sub-matrices C ∗ mod pi . Therefore we
compute the factorization of f (x) in Z:
f (x) =
n
Y
fi (x) .
i=1
This can be done in polynomial time. Since fi is also the characteristic polynomial of the matrix
C mod pi , by the Cayley-Hamilton theorem we have:
fi (C) = 0 mod pi
for all 1 6 i 6 n. Therefore the secret pi ’s can be recovered by taking the gcd of one non-zero
coefficient of the matrix fi (C) with x0 .
5
Cryptanalysis of Boneh et al. Countermeasure
In a recent paper, Boneh, Wu and Zimmerman described another transformation of CLT multilinear
maps in order to resist the Cheon et al. attack [BWZ14]. In this section we show that this
transformation is also insecure.
The Boneh et al. Countermeasure. For simplicity we describe the countermeasure in the
symmetric setting. We also assume that the message space ZN is the direct product Zg1 × · · · × Zgn ;
that is we take Θ = 1 in [BWZ14] —our attack naturally extends to any Θ. Following [BWZ14] we
denote an encoding of an element x ∈ ZN by [x1 , . . . , xn ] where x = xi mod gi for all 1 6 i 6 n.
The transformation creates a new multilinear map ZMM with the same domain ZN . For this
it uses CLT with 2 additional slots, therefore a total of n + 2 slots, with a domain ZN 0 such that
N 0 = N · gn+1 · gn+2 . In the new multilinear map, an encoding of an element x ∈ ZN is the pair of
native CLT encodings with n + 2 slots:
c = (xL , xR ) = [x1 , . . . , xn , ζ, νL ], [η1 , . . . , ηn , ζ, νR ]
where the scalars ζ, νL , νR and η1 , . . . , ηn are chosen at random in the appropriate rings Zgi .
To zero-test such encoding c, two additional native CLT encodings are made public:
tL = [1, . . . , 1, 1, 0] and tR = [0, . . . , 0, 1, 0] .
We want to test whether (x1 , . . . , xn ) = (0, . . . , 0). For this we compute:
ω = pzt · (xL · tL − xR · tR ) .
We see from the structure of the native CLT encodings xL , xR , tL and tR that xL · tL − xR · tR is
an encoding of 0 iff x = 0. Therefore ω is small compared to x0 if c is a ZMM encoding of zero (and
whp is not when c is not).
5
Our Attack. We see that ω is still a 2(n + 2) linear form in the CRT components of the CLT
encodings xL and xR . Therefore the attack of Cheon et al. is easily extended by using matrices of
dimension 2(n + 2) instead of n. This enables to recover all secret parameters.
References
[BWZ14] Dan Boneh, David J. Wu, and Joe Zimmerman. Immunizing multilinear maps against zeroizing attacks.
Cryptology ePrint Archive, Report 2014/930, 2014. http://eprint.iacr.org/.
[CHL+ 14] Jung Hee Cheon, Kyoohyung Han, Changmin Lee, Hansol Ryu, and Damien Stehlé. Cryptanalysis
of the multilinear map over the integers. Cryptology ePrint Archive, Report 2014/906, 2014. http:
//eprint.iacr.org/.
[CLT13] Jean-Sébastien Coron, Tancrède Lepoint, and Mehdi Tibouchi. Practical multilinear maps over the integers.
In Ran Canetti and Juan A. Garay, editors, Advances in Cryptology - CRYPTO 2013 - 33rd Annual
Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part I, volume 8042 of
Lecture Notes in Computer Science, pages 476–493. Springer, 2013.
[GGH13] Sanjam Garg, Craig Gentry, and Shai Halevi. Candidate multilinear maps from ideal lattices. In Thomas
Johansson and Phong Q. Nguyen, editors, Advances in Cryptology - EUROCRYPT 2013, 32nd Annual
International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece,
May 26-30, 2013. Proceedings, volume 7881 of Lecture Notes in Computer Science, pages 1–17. Springer,
2013.
[GGH14] Craig Gentry, Sergey Gorbunov, and Shai Halevi. Graph-induced multilinear maps from lattices. Cryptology
ePrint Archive, Report 2014/645, 2014. http://eprint.iacr.org/.
[GGHZ14] Sanjam Garg, Craig Gentry, Shai Halevi, and Mark Zhandry. Fully secure functional encryption without
obfuscation. Cryptology ePrint Archive, Report 2014/666, 2014. http://eprint.iacr.org/.
6